Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Apply patch
AI Analysis

Impact

ImageMagick’s MagnifyImage function uses a fixed-size stack buffer; a specially crafted image can overflow it, corrupting the stack and potentially allowing an attacker to execute arbitrary code. The flaw is a classic buffer overflow (CWE‑121 and CWE‑787).

Affected Systems

The vulnerability impacts all versions of ImageMagick older than 7.1.2‑16 and 6.9.13‑41. Any installation that processes images through MagnifyImage is susceptible.

Risk and Exploitability

With a CVSS score of 7.7 the flaw is high severity, but an EPSS below 1% indicates a low current exploitation probability. The vulnerability is not listed in the KEV catalog, so no widespread attacks have been reported. The likely attack vector is an attacker supplying a malicious image to a service that uses MagnifyImage, leading to complete code‑execution on the host system.

Generated by OpenCVE AI on April 16, 2026 at 10:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ImageMagick 7.1.2‑16 or 6.9.13‑41 where the buffer handling flaw has been fixed.
  • Configure any image‑processing services to reject or quarantine untrusted image sources before they reach MagnifyImage.
  • Optionally disable or remove the MagnifyImage operation for image types that originate from untrusted sources, or restrict its use to a whitelist of safe file formats.

Generated by OpenCVE AI on April 16, 2026 at 10:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Github GHSA Github GHSA GHSA-rqq8-jh93-f4vg ImageMagick has stack buffer overflow in MagnifyImage
History

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has a stack buffer overflow in MagnifyImage
Weaknesses CWE-121
CWE-787
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:52:41.954Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30929

cve-icon Vulnrichment

Updated: 2026-03-10T14:52:38.534Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:44:57.127

Modified: 2026-03-13T17:02:14.297

Link: CVE-2026-30929

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-09T21:46:31Z

Links: CVE-2026-30929 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses